Salesforce has warned of detected “unusual activity” related to Gainsight-published applications connected to the platform.
“Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” the company said in an advisory.
The cloud services firm said it has taken the step of revoking all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce. It has also temporarily removed those applications from the AppExchange as its investigation continues.
Salesforce did not disclose how many customers were impacted by the incident, but said it has notified them.
“There is no indication that this issue resulted from any vulnerability in the Salesforce platform,” the company added. “The activity appears to be related to the app’s external connection to Salesforce.”
Out of an abundance of caution, the Gainsight app has been temporarily pulled from the HubSpot Marketplace and Zendesk connector access has been revoked. “This may also impact Oauth access for customer connections while the review is taking place,” Gainsight said. “No suspicious activity related to Hubspot has been observed at this point.”
In a post shared on LinkedIn, Austin Larsen, principal threat analyst at Google Threat Intelligence Group (GTIG), described it as an “emerging campaign” targeting Gainsight-published applications connected to Salesforce by compromising third-party OAuth tokens to potentially gain unauthorized access.
The activity is assessed to be tied to threat actors associated with the ShinyHunters (aka UNC6240) group, mirroring a similar set of attacks targeting Salesloft Drift instances earlier this August.
According to DataBreaches.Net, ShinyHunters has confirmed the campaign is their doing and stated that the Salesloft and Gainsight attack waves allowed them to steal data from nearly 1000 organizations.
Interestingly, Gainsight previously said it was also one of the Salesloft Drift customers impacted in the previous attack. But it’s not clear at this stage if the earlier breach played a role in the current incident.
In that hack, the attackers accessed business contact details for Salesforce-related content, including names, business email addresses, phone numbers, regional/location details, product licensing information, and support case contents (without attachments).
“Adversaries are increasingly targeting the OAuth tokens of trusted third-party SaaS integrations,” Larsen pointed out.
In light of the malicious activity, organizations are advised to review all third-party applications connected to Salesforce, revoke tokens for unused or suspicious applications, and rotate credentials if anomalies are flagged from an integration.
